Why is your Perl site asking me to log in with another site's credentials?
Yesterday I came across another Perl-related site, called PrePAN, that asks me to log in with some other site's login information. I've seen this before on MetaCPAN and Play Perl and it makes me very uncomfortable. It goes against the security advice that I've been given for decades.
IT professionals have been encouraging people to use different passwords for different sites for many years. Yet, here are three Perl sites asking users to share their login credentials for another site. (DANGER, WILL ROBINSON!) If MetaCPAN wasn't such a popular and well respected web site I would assume some malicious and nefarious purpose. Even with honest intentions, if my login information at the "other site" is compromised, what's to stop someone from then using those credentials to log into MetaCPAN, PrePAN, or PlayPerl and wreak havoc upon my accounts or impersonate me?
I'm surprised that no one else has voiced concern about this. What's going on with these sites? If you've logged in to these sites, what made you decide to throw caution to the wind and do so?
I'm not a massive fan of this pattern, however I'll point out that when you log in to MetaCPAN (for example), you don't type your github username/password into a page hosted on metacpan.org; instead the site forwards you to github.com, you log in there, and GitHub forwards you back.
So MetaCPAN never sees your GitHub credentials. Technically, it's reasonably safe.
However, it does confuse many people, especially given that it appears to fly in the face of password security advice they've been getting for many years (don't give your password for one site to another site; use different passwords for different sites; etc).
"Verified by Visa"/"Mastercard SecureCode" also follows this pattern and are the worst offenders in that their password entry pages are often shown in iframes by the online shop wanting payment, thus obscuring the fact that you are (technically very securely - good!) providing your password directly to your card provider, and not to the shop.
This whole pattern is training people to be nice little phishing victims.
Managing credentials and confirming identities is not trivial to do well/securely, so I think many sites are just outsourcing that to a third party that is widely trusted. It's a form of laziness (possibly in the good way).
See OAuth for more.
Hi Toby
I wouldn't use or recommend the infamous 'Verified by Visa':
http://www.lightbluetouchpaper.org/2010/01/26/how-online-card-security-fails/
Cheers
Ron
What dagolden said. I don't want to be responsible for the sensitive data. You can say that people should choose the different passwords for each website, but you can't enforce it, so losing the DB full of passwords is still a disaster, even if these passwords are encrypted.
PlayPerl used Twitter credentials initially, because it was the easiest route to implement.
These days, PlayPerl (also known as Questhub) gives you the option to log in with email using Mozilla Persona, which is the best of both worlds: you don't have to invent a new password, but you can choose any credentials provider, be it Mozilla, some other big player which implements Persona protocol, or your own private server.
PS: It's not possible to migrate from Twitter account to Persona yet, but it will be possible in the future.
So is Mozilla Persona the new OpenID?
OK, fair enough. But when I click on the "Sign in with Twitter" button, Twitter's web site tells me that when log in that your site will be about to:
* Read Tweets from your timeline.
* See who you follow.
If that's the case you need a privacy policy since users signing in with this service will expose you to private data in their Twitter accounts that they might not want to share with you.
Yes, you're right about a privacy policy. I don't speak Legal, but I'll look into it.